
Re: DEFAULTQS configuration help



Thanks Sampo.

I will look to incorporate your suggestion.

Regards,
Karthik

On 11/22/2013 3:35 PM, sampo@xxxxxxxxx wrote:
Karthik Sudarshan <ksudarshan@xxxxxxxxxx> said:
Thanks for the reply. I got it to work with the change that you suggested.

My mistake was a silly one, but I will mention it here so that, if others
make a similar one, they can correct it as well: I was inadvertently writing
the code as 10 (numeric one) instead of l0 (lowercase L)!! :-)

I have a follow-up question w.r.t the RelayState.

If I have an HTML page then the value of the relay state will be available
as a query parameter (as mentioned in the documentation). However, if I set
DEFAULTQS, then I would have to hard-code the value of "fr". Is my
understanding correct?
Right.

If this is the correct assumption, then is that the suggested way - to
direct the user always to the same landing page after SSO, or is the
expectation that there will be a custom idpsel page, which will do an
automatic submit of the form so that the user does not need to do anything?
Both are possible. Basically DEFAULTQS is a config-time option and
not very dynamic, so you would be constrained to always the same landing
page.

If you need something fancier, you would need the "magic" idpsel page
or some other web-server-level (rewrite rule?) or PHP-level
magic that manipulates the query string correctly.

For example, if you show a web page to unauthenticated users, with
several links to follow, you could generate each link with a query
string that preselects the IdP and supplies fr that points to the
final destination. Generating such a page with PHP would not be
difficult (see how the magic aura is starting to wear off).

In fact the link page could even be entirely static as long as
you manually supply the magically correct URLs.

Cheers,
--Sampo

Regards,
Karthik


On Thu, Nov 21, 2013 at 5:29 PM, <sampo@xxxxxxxxx> wrote:

Karthik Sudarshan <ksudarshan@xxxxxxxxxx> said:
Hi all,
I have downloaded the latest version of zxid (1.16) and compiled
Rest of the list: sorry folks, I did not announce it, but there is a
new release available :-)

There will be another before Christmas.

against Apache 2.2  on Ubuntu to get the mod_auth_saml.so. I have
registered an IDP in my COT using the zxcot utility. I can see that in my
dropdown list on the IDP selection page as well.

I want to be able to bypass the IDP selection page and directly go to the
IDP login page. For that I used the DEFAULTQS configuration option and it
does not seem to work.

My option in the Apache conf file for the <Location> is as below:

DEFAULTQS=10https://<hostname>/<path>/metadata.xml
The correct syntax is the query string syntax as if a form
had been submitted. Try the following:

DEFAULTQS=l0https://<host>/<path>/idp.xml=1%26fp=1

Please note:

1. The l0... stuff must end with "=1"

2. If there are any other fields you would like to pass, you need
    to include them in the query string, but you need to URI escape
    characters, such as ampersand ("&") with %26 (percent 26).

3. One other field in particular that you may want to pass is
    fr (aka RelayState) which will control the redirection
    after SSO if you have configured REDIR_TO_CONTENT=1

Cheers,
--Sampo

I tried to give this in the zxid.conf file as well, and that didn't work
either.

Can someone please suggest how to set this configuration correctly?

Regards,
Karthik

--

------------------------------
<http://www.xtivia.com>  <http://www.virtual-dba.com/> <http://www.virtual-dba.com/><http://www.virtual-asa.com/>
   <http://www.facebook.com/Xtivia>  <http://twitter.com/#!/xtivia> <http://www.linkedin.com/company/xtivia>
   <http://blogs.xtivia.com>  <http://www.xtivia.com/resources/webinars>
*Xtivia Virtual-Services (DBA/ASA) Customer Support: (800) 205-7537*
------------------------------
This e-mail may contain confidential or privileged information. If you
believe you have received this e-mail in error, please notify the sender
by reply e-mail and then delete this e-mail immediately.


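As an added example, not code from this thread or from the ZXID project, the following Python builds the query string Sampo describes (the submitted-form syntax with l0<entity-id>=1, further fields joined by &, and, for the DEFAULTQS value, the & separators written as %26), decodes it the way the SP side would see it, and generates the pre-selected login links he suggests for a static or generated landing page. The IdP entity ID, the SP endpoint, the paths and the allow-list of hosts permitted in fr are made-up sample values, and the assumption that the conf parser unescapes the DEFAULTQS value exactly once (which is what the %26 in the thread implies) should be checked against your ZXID version. The fr check is an addition of mine: fr decides where the user is sent after SSO when REDIR_TO_CONTENT=1, so an unvalidated value taken from a link is an open redirect.

```python
# Added example (not from the thread or from the ZXID project): build the
# "already submitted form" query string that DEFAULTQS wants, turn it into
# a conf value with the '&' separators escaped as %26, check what the SP
# will decode from it, and emit a pre-selected login link for a landing
# page. Host names, paths and the allow-list are made-up sample values.
from html import escape
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Hypothetical allow-list: hosts the SP may send a user to after SSO via fr.
ALLOWED_FR_HOSTS = {"sp.example.com"}


def check_relay_state(fr):
    """Added safety check, not something ZXID promises to do for you: fr is
    a post-SSO redirect target, so only accept a site-relative path (not a
    scheme-relative //host path) or an https URL to an allowed host."""
    if fr.startswith("/"):
        return not fr.startswith("//")
    parts = urlsplit(fr)
    return parts.scheme == "https" and parts.hostname in ALLOWED_FR_HOSTS


def build_login_qs(idp_entity_id, **fields):
    """Query string as if the IdP selection form had been submitted with the
    button for idp_entity_id pressed: 'l0<entity-id>=1' (the l0 prefix and
    the '=1' are taken from the thread) followed by extra fields such as fp
    or fr. The entity ID is left unescaped, as in the thread's example;
    other values are percent-encoded so a '&' or '?' inside fr cannot
    smuggle in additional fields."""
    if "fr" in fields and not check_relay_state(fields["fr"]):
        raise ValueError(f"refusing unsafe relay state: {fields['fr']!r}")
    parts = [f"l0{idp_entity_id}=1"]
    parts += [f"{k}={quote(v, safe='/:')}" for k, v in fields.items()]
    return "&".join(parts)


def to_defaultqs(qs):
    """Value for the DEFAULTQS option. Inside a ZXID conf string '&' separates
    options, so the separators inside the query string must be written as
    %26; any '%' already present is escaped to %25 so that one unescaping
    pass (assumed to be what the conf parser does) restores qs exactly."""
    return qs.replace("%", "%25").replace("&", "%26")


def decode_defaultqs(value):
    """Simulate the SP side: one unescaping pass, then normal CGI parsing."""
    return dict(parse_qsl(unquote(value), keep_blank_values=True))


def login_link(sp_endpoint, qs, text):
    """<a> element for a static or generated landing page; the '&' in the
    href is HTML-escaped so the page stays well-formed."""
    href = escape(sp_endpoint + "?" + qs, quote=True)
    return f'<a href="{href}">{escape(text)}</a>'


if __name__ == "__main__":
    idp = "https://idp.example.com/idp.xml"   # sample IdP entity ID
    qs = build_login_qs(idp, fp="1", fr="/app/home")
    print("DEFAULTQS=" + to_defaultqs(qs))
    print(decode_defaultqs(to_defaultqs(qs)))
    print(login_link("https://sp.example.com/protected/saml", qs,
                     "Log in via Example IdP"))
```

Run it directly to print the DEFAULTQS value, the fields the SP would decode from it, and one link for the landing page; a value of fr containing ? or & is percent-encoded once in the link and a second time in the conf value, and decodes back to a single field.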